Web services security I Uyen Dang & Michel Foé



Agenda
Context
– Architectural considerations of security issues in WS
– Security threats in Web services
Basic concepts (prerequisites)
XML-independent tools or technologies
– SSL
– Kerberos
– Authentication on HTTP
XML-specific tools or technologies
– XML Signature
– XML Encryption
– XKMS
– SAML
– XACML
Summary and Q&A

Context (SOA)

Architectural considerations of WS security
Where do security issues occur in SOA?
– Network level
– Application level

Security threats for Web services
– Unauthorized access
– Unauthorized alteration of messages
– Man in the middle
– Denial of service

Countermeasures (1)
Network-level security:
– Firewalls
– Intrusion detection systems and vulnerability assessment
– Securing network communications: symmetric/asymmetric encryption, digital certificates and signatures

Countermeasures (2)
Application-level security: six requirements
– Authentication
– Authorization
– Message integrity
– Confidentiality
– Operational defense
– Non-repudiation

Basic concepts (1)
Authentication — verify the identity of an entity
Authorization — specify access rights to a resource

Basic concepts (2)
Integrity — guarantee that a message did not change in transit or over time
Confidentiality — ensure that data is available only to those who are authorized to access it

Basic concepts (3)
Symmetric encryption/decryption
– Secure communication between two parties
– Both parties share the same key

Basic concepts (4)
Asymmetric encryption/decryption
– Secure communication between two parties
– Requires a public/private key pair for each party

Basic concepts (5)
Digital signature and certificate
— Prove the authenticity and integrity of a document/message
— Ensure accountability and non-repudiation (certificates)

SSL (Secure Sockets Layer)
What is SSL?
– Web protocol for secure communication over TCP/IP connections
– Provides server and client authentication
– Data encryption
– Message integrity

Kerberos
What is Kerberos?
– Third-party authentication protocol
– Uses tickets and a session key
– Centralized key management
– Allows single sign-on

Authentication on HTTP
Login/password authentication; two methods are supported:
Basic authentication
– Base64 encoding of the string login:password
– Highly vulnerable
Digest
– Apply a hash function to the password

HTTP basic authentication example

XML Signature
Ensures:
– data integrity,
– message authentication,
– and non-repudiation.
Three types of signatures:
– Enveloping
– Enveloped
– Detached

XML Signature (schema): Signature, SignedInfo, Key information

XML signature (SignedInfo)

XML Signature (key information)

XML Signature (how does it work?)
Generate references
– Transformation (if needed)
– Compute the digest
Generate the signature
– Build the SignedInfo element
– Apply the CanonicalizationMethod
– Compute the digest
– Compute the signature on the hash with the SignatureMethod
Only SignedInfo is signed, not the referenced resources.
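As an added example (not from the slides), the reference-then-SignedInfo flow above in Python with only the standard library. It assumes C14N 2.0 (what xml.etree.ElementTree.canonicalize implements) in place of the canonicalization algorithms XML-DSig normally names, HMAC-SHA256 as the SignatureMethod so that no third-party crypto package is needed, and a constructed key and order document.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N_URI = "http://www.w3.org/2006/12/xml-c14n2"  # ET.canonicalize implements C14N 2.0
HMAC_URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("", DSIG)  # so parsed DSig elements re-serialize with a default xmlns

def digest_of(xml_text: str) -> str:
    """Generate a reference: canonicalize the referenced data, then compute its digest."""
    canon = ET.canonicalize(xml_text).encode()
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def build_signed_info(ref_uri: str, digest_b64: str) -> str:
    """Build the SignedInfo element: the reference, its digest and the methods used."""
    return (f'<SignedInfo xmlns="{DSIG}">'
            f'<CanonicalizationMethod Algorithm="{C14N_URI}"/>'
            f'<SignatureMethod Algorithm="{HMAC_URI}"/>'
            f'<Reference URI="{ref_uri}"><DigestMethod Algorithm="{SHA256_URI}"/>'
            f'<DigestValue>{digest_b64}</DigestValue></Reference></SignedInfo>')

def sign(data_xml: str, ref_uri: str, key: bytes) -> str:
    """Canonicalize SignedInfo and sign it; the data is covered only through its digest."""
    signed_info = build_signed_info(ref_uri, digest_of(data_xml))
    mac = hmac.new(key, ET.canonicalize(signed_info).encode(), hashlib.sha256).digest()
    return (f'<Signature xmlns="{DSIG}">{signed_info}'
            f'<SignatureValue>{base64.b64encode(mac).decode()}</SignatureValue></Signature>')

def verify(signature_xml: str, data_xml: str, key: bytes) -> bool:
    """Verify in two steps: recompute the reference digest, then check the MAC over SignedInfo."""
    ns = {"ds": DSIG}
    root = ET.fromstring(signature_xml)
    signed_info = root.find("ds:SignedInfo", ns)
    digest_ok = signed_info.find("ds:Reference/ds:DigestValue", ns).text == digest_of(data_xml)
    # Re-serialize and canonicalize SignedInfo exactly as the signer did before computing the MAC.
    canon = ET.canonicalize(ET.tostring(signed_info, encoding="unicode")).encode()
    expected = hmac.new(key, canon, hashlib.sha256).digest()
    given = base64.b64decode(root.find("ds:SignatureValue", ns).text)
    return digest_ok and hmac.compare_digest(expected, given)

if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed demo key, not from the slides
    order = '<Order id="7"><Item>widget</Item><Qty>2</Qty></Order>'  # constructed sample data
    sig = sign(order, "#order", key)
    print(verify(sig, order, key), verify(sig, order.replace("<Qty>2", "<Qty>200"), key))
```

Because the MAC covers the canonicalized SignedInfo rather than the order itself, replacing the order and recomputing its DigestValue still fails verification, which is the point of the last bullet above.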

XML Signature (example): enveloping, enveloped

XML Encryption
– Encrypts part or all of an XML document
– Ensures confidentiality
– Uses symmetric encryption

XML Encryption (schema): Encryption method, Cipher text

XML Encryption (how does it work?)
Encryption
– Choose the cryptographic algorithm (3DES, AES, etc.)
– Get or generate the key
– Serialize the data to encrypt
– Encrypt
Decryption
– Identify the algorithm and key used
– Get the key
– Decrypt
– Integrate the data into the final document

XML Encryption (Example)

XKMS (XML Key Management Specification)
Alternative to a complex PKI
Eases integration of
– authentication,
– signature and certificates,
– and encryption for XML-based trust services
Supports three major services:
– Register
– Locate
– Validate

XKMS (example)

SAML (Security Assertion Markup Language)
– OASIS standard
– Framework for creating, requesting, and exchanging security assertions between business partners
– Eases single sign-on

SAML components

SAML assertion

SAML example

XACML (eXtensible Access Control Markup Language)
– Extension to SAML
– Defines how to use access information and security policies
– Offers a vocabulary and syntax for managing authorization decisions
Two basic components
– Access control policy language
– Request/response language

Typical use of XACML and SAML

Summary and Q&A

Technology      Main purposes
XML Signature   Data integrity, authentication, non-repudiation of services
XML Encryption  Promotes the trusted use of web applications by encrypting XML entities
XKMS            Simplifies the integration of PKI and management of digital certificates with XML applications
SAML            Standard for exchanging authorization and authentication assertions between services to facilitate single sign-on
XACML           Language for managing authorization decisions
